Split filter plugin v3.1.6

Getting Help

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github.
For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

The split filter clones an event by splitting one of its fields and
placing each value resulting from the split into a clone of the original
event. The field being split can either be a string or an array.

An example use case of this filter is for taking output from the
exec input plugin which emits one event for
the whole output of a command and splitting that output by newline -
making each line an event.

Split filter can also be used to split array fields in events into individual events.
A very common pattern in JSON & XML is to make use of lists to group data together.

If the event has field "somefield" == "hello" this filter, on success,
would add field foo_hello if it is present, with the
value above and the %{host} piece replaced with that value from the
event. The second example would also add a hardcoded field.

id

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type, for example, if you have 2 split filters.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

If the event has field "somefield" == "hello" this filter, on success,
would remove the tag foo_hello if it is present. The second example
would remove a sad, unwanted tag as well.
:plugin: split
:type: filter